> On April 13, 2019, 10:33 p.m., Madhan Neethiraj wrote: > > plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java > > Lines 395 (patched) > > <https://reviews.apache.org/r/70394/diff/3/?file=2138886#file2138886line395> > > > > Is it necessary to set each resource value to '{NONE}'? This require > > policy to have a matching value (like '*', '{NONE}'). If this is not > > intentional, consider setting value only for known resources. > > > > For example, to authorize schema-create, RangerPrestoResource should > > only have value for 'schema'; other resources shouldn't have any value. > > Policy engine will consider only policies that have '*' or no value for all > > child resources (in this case table and column). This will also result in a > > cleaner resource-name in audit logs i.e. catalogName/schemaName instead of > > catalogName/schemaName/{NONE}/{NONE} > > Bolke de Bruin wrote: > The example you are giving is exactly the problem (which as far as we > know also goes for, for example, Hive). E.g. if I would to set a control for > a Catalog, Ranger will happily match *everything* below Catalog (so all > schemas) if I did not exclude them explicitely. > > It has been brought up before here: > https://community.hortonworks.com/questions/69381/how-to-define-ranger-policies-in-ui-for-non-leaf-r.html > and the suggestion is to use a different set of permissions as a > *workaround* and requires changes to the service definition. In addition that > requires a different permission for every operation. We consider this > suboptimal and a design issue. > > Hence we use "{NONE}" and have explicit a "NULL". Probably we should > bring this up as an improvement to Ranger overall. > > Madhan Neethiraj wrote: > Enhancements introduced in RANGER-1781 can help address your concerns. In > short, isValidLeaf=true should be set for resources catalog, schema and table > in the service-def for Presto. With this in place, policies can be created > only at catalog level (without having to specify any value for schema and > table); and such policies will not be applied for requests that include > resources other than catalog. I suggest you try this approach.
O nice, I wasn't aware of that (a quick scan does not show any of the other service definitions using it yet). That should work - Bolke ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/70394/#review214651 ----------------------------------------------------------- On April 12, 2019, 7:33 a.m., Bolke de Bruin wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/70394/ > ----------------------------------------------------------- > > (Updated April 12, 2019, 7:33 a.m.) > > > Review request for ranger and Abhay Kulkarni. > > > Bugs: https://issues.apache.org/jira/browse/RANGER-2395 > > https://issues.apache.org/jira/browse/https://issues.apache.org/jira/browse/RANGER-2395 > > > Repository: ranger > > > Description > ------- > > Presto Plugin for Ranger. > > > Diffs > ----- > > agents-common/scripts/enable-agent.sh b4194a736 > > agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java > cbfd649c9 > agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json > PRE-CREATION > plugin-presto/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION > plugin-presto/conf/ranger-policymgr-ssl.xml PRE-CREATION > plugin-presto/conf/ranger-presto-audit-changes.cfg PRE-CREATION > plugin-presto/conf/ranger-presto-audit.xml PRE-CREATION > plugin-presto/conf/ranger-presto-security-changes.cfg PRE-CREATION > plugin-presto/conf/ranger-presto-security.xml PRE-CREATION > plugin-presto/pom.xml PRE-CREATION > plugin-presto/scripts/install.properties PRE-CREATION > > plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java > PRE-CREATION > > plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java > PRE-CREATION > > plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java > PRE-CREATION > > plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java > PRE-CREATION > > plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java > PRE-CREATION > pom.xml 2a45f8b2d > ranger-presto-plugin-shim/pom.xml PRE-CREATION > > ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java > PRE-CREATION > > ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java > PRE-CREATION > > ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java > PRE-CREATION > > ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java > PRE-CREATION > > ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin > PRE-CREATION > src/main/assembly/admin-web.xml 06ba8c4f0 > src/main/assembly/plugin-presto.xml PRE-CREATION > > > Diff: https://reviews.apache.org/r/70394/diff/3/ > > > Testing > ------- > > Tested in production. > > https://issues.apache.org/jira/browse/RANGER-2395 > > > Thanks, > > Bolke de Bruin > >
